ACCESS COMMANDS
swamp access
Manage authorization policies (grants), groups, and access checks.
Subcommands
| Command | Alias | Description |
|---|---|---|
| token | | Manage server tokens for user authentication |
| grant | policy | Manage authorization grants |
| group | | Manage local groups |
| can-i | | Check your own permissions against the server's grants |
| check | | Explain whether a subject can perform an action |
| reload | | Rebuild the policy snapshot from current grants and groups |
swamp access token
swamp access token mint
Mint a server token for user authentication. The plaintext is shown once.
swamp access token mint <name> --principal <principal>

| Flag | Required | Default | Description |
|---|---|---|---|
| --principal | Yes | | Principal identity (e.g., user:adam) |
| --email | No | | Display email for the token holder |
| --duration | No | 30d | Token lifetime (e.g., 30m, 1h, 24h, 7d) |
| --vault | No | | Vault that stores the token plaintext |
swamp access token list
List server tokens: state, principal, expiry, and last use.
swamp access token list
swamp access token revoke
Invalidate a server token before it expires.
swamp access token revoke <name>
swamp access token rotate
Revoke an existing token and mint a replacement with the same name and principal. The new plaintext is shown once.
swamp access token rotate <name>
swamp access grant
swamp access policy is an alias for swamp access grant.
swamp access grant create
Create a new authorization grant.
swamp access grant create --subject <subject> --on <resource>

| Flag | Required | Description |
|---|---|---|
| --subject | Yes | Grant subject (e.g., user:adam, group:release-managers, idp-group:platform-eng) |
| --allow | No | Actions to allow (comma-separated: run, read, write, admin) |
| --deny | No | Actions to deny (comma-separated) |
| --on | Yes | Resource selector (e.g., workflow:@acme/*, model:hello) |
| --when | No | CEL condition (e.g., tags.env == "staging") |
| --server | No | Target a remote server (env: SWAMP_SERVE_URL) |
| --token | No | Server token (falls back to stored credential) |

Exactly one of --allow or --deny must be provided.
swamp access grant list
List authorization grants.
swamp access grant list

| Flag | Required | Description |
|---|---|---|
| --server | No | Target a remote server (env: SWAMP_SERVE_URL) |
| --token | No | Server token (falls back to stored credential) |
swamp access grant revoke
Revoke an authorization grant.
swamp access grant revoke <grant_id>

| Flag | Required | Description |
|---|---|---|
| --server | No | Target a remote server (env: SWAMP_SERVE_URL) |
| --token | No | Server token (falls back to stored credential) |
swamp access group
swamp access group create
Create a local group.
swamp access group create <name>
swamp access group add-member
Add a principal to a group.
swamp access group add-member <group> <principal>
swamp access group remove-member
Remove a principal from a group.
swamp access group remove-member <group> <principal>
swamp access group list
List all groups.
swamp access group list
swamp access group members
List members of a group.
swamp access group members <name>
swamp access can-i
Check your own permissions against the server's grants.
swamp access can-i

| Flag | Required | Description |
|---|---|---|
| --action | No | Action to check (run, read, write, admin) |
| --on | No | Resource to check (e.g., workflow:@acme/deploy) |
| --collectives | No | Comma-separated IdP group memberships to simulate |
| --server | No | Target a remote server (env: SWAMP_SERVE_URL) |
| --token | No | Server token (falls back to stored credential) |

Without --action and --on, lists everything you can do. With both, checks a
specific permission.
swamp access check
Explain whether a subject can perform an action on a resource. Requires admin access.
swamp access check --subject <subject> --action <action> --on <resource>

| Flag | Required | Description |
|---|---|---|
| --subject | Yes | Subject to check (e.g., user:adam) |
| --action | Yes | Action to check (run, read, write, admin) |
| --on | Yes | Resource to check (e.g., workflow:@acme/deploy) |
| --collectives | No | Comma-separated IdP group memberships to simulate |
| --field | No | Resource field for condition evaluation (key=value, repeatable) |
| --server | No | Target a remote server (env: SWAMP_SERVE_URL) |
| --token | No | Server token (falls back to stored credential) |
swamp access reload
Rebuild the policy snapshot from current grants and groups. Required after grant
or group changes when using the default --grant-reload manual mode.
swamp access reload

| Flag | Required | Description |
|---|---|---|
| --server | No | Target a remote server (env: SWAMP_SERVE_URL) |
| --token | No | Server token (falls back to stored credential) |
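
The grant, reload, check sequence described above, as an added example that is not part of the swamp documentation. The helper names `valid_actions` and `grant_and_verify` are hypothetical, the action validation goes slightly beyond what the page states, and it is assumed that `swamp` exits non-zero when `grant create` or `reload` fails.

```shell
# Added example: hypothetical helpers, not part of swamp.
# Uses only subcommands and flags listed on this page.

# valid_actions LIST: succeed only if every comma-separated item is a known action.
valid_actions() {
  [ -n "$1" ] || return 1
  va_ifs=$IFS; IFS=,; set -f
  for va_item in $1; do
    case "$va_item" in
      run|read|write|admin) ;;
      *) IFS=$va_ifs; set +f; return 1 ;;
    esac
  done
  IFS=$va_ifs; set +f
}

# grant_and_verify MODE SUBJECT ACTIONS RESOURCE
# MODE is "allow" or "deny": taking one mode argument enforces the page's
# rule that exactly one of --allow / --deny is given.
grant_and_verify() {
  gv_mode=$1; gv_subject=$2; gv_actions=$3; gv_resource=$4
  case "$gv_mode" in
    allow|deny) ;;
    *) echo "mode must be allow or deny" >&2; return 2 ;;
  esac
  valid_actions "$gv_actions" || { echo "bad action list: $gv_actions" >&2; return 2; }

  swamp access grant create --subject "$gv_subject" "--$gv_mode" "$gv_actions" \
    --on "$gv_resource" || return 1

  # In manual reload mode the server still evaluates the old snapshot here,
  # so a check run before this step would report the pre-change decision.
  swamp access reload || return 1

  # Ask the server to explain each action (check requires admin access).
  # The page does not document check's exit status, so it is not interpreted.
  gv_ifs=$IFS; IFS=,; set -f
  for gv_item in $gv_actions; do
    IFS=$gv_ifs
    swamp access check --subject "$gv_subject" --action "$gv_item" \
      --on "$gv_resource" || true
  done
  IFS=$gv_ifs; set +f
}

# Usage: grant_and_verify allow group:release-managers run,read 'workflow:@acme/*'
```

Read the explanation printed by each `check` call to confirm the new grant is the one that decided the result.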
Related
- Authorization — the grant model and evaluation semantics
- Serve Flags — swamp serve flags including --grant-reload